Search Results (848 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2019-25544 1 Pidgin 1 Pidgin 2026-04-16 6.2 Medium
Pidgin 2.13.0 contains a denial of service vulnerability that allows local attackers to crash the application by providing an excessively long username string during account creation. Attackers can input a buffer of 1000 characters in the username field and trigger a crash when joining a chat, causing the application to become unavailable.
CVE-2019-25594 1 Xlinesoft 1 Phprunner 2026-04-16 6.2 Medium
ASPRunner.NET 10.1 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the table name field. Attackers can input a buffer of 10000 characters in the table name parameter during database table creation to trigger an application crash.
CVE-2026-27707 2 Seerr, Seerr-team 2 Seerr, Seerr 2026-04-16 7.3 High
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Starting in version 2.0.0 and prior to version 3.1.0, an authentication guard logic flaw in `POST /api/v1/auth/jellyfin` allows an unauthenticated attacker to register a new Seerr account on any Plex-configured instance by authenticating with an attacker-controlled Jellyfin server. The attacker receives an authenticated session and can immediately use the application with default permissions, including the ability to submit media requests to Radarr/Sonarr. Any Seerr deployment where all three of the following are true may be vulnerable: `settings.main.mediaServerType` is set to `PLEX` (the most common deployment).; `settings.jellyfin.ip` is set to `""` (default, meaning Jellyfin was never configured); and `settings.main.newPlexLogin` is set to `true` (default). Jellyfin-configured and Emby-configured deployments are not affected. Version 3.1.0 of Seerr fixes this issue.
CVE-2026-32732 1 Leanprover 1 Vscode-lean4 2026-04-16 N/A
Lean 4 VS Code Extension is a Visual Studio Code extension for the Lean 4 proof assistant. Projects that use @leanprover/unicode-input-component are vulnerable to an XSS exploit in 0.1.9 of the package and lower. The component re-inserted text in the input element back into the input element as unescaped HTML. The issue has been resolved in 0.2.0.
CVE-2026-35617 1 Openclaw 1 Openclaw 2026-04-16 4.2 Medium
OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Google Chat group policy enforcement that relies on mutable space display names. Attackers can rebind group policies by changing or colliding space display names to gain unauthorized access to protected resources.
CVE-2026-20849 1 Microsoft 23 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 20 more 2026-04-16 7.5 High
Reliance on untrusted inputs in a security decision in Windows Kerberos allows an authorized attacker to elevate privileges over a network.
CVE-2026-22422 2 Wordpress, Wpeverest 2 Wordpress, Everest Forms 2026-04-16 5.3 Medium
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in wpeverest Everest Forms everest-forms allows Code Injection.This issue affects Everest Forms: from n/a through <= 3.4.1.
CVE-2006-0149 1 Simpbook 1 Simpbook 2026-04-16 6.1 Medium
Cross-site scripting (XSS) vulnerability in SimpBook 1.0, with html_enable on (the default), allows remote attackers to inject arbitrary web script or HTML via the message field.
CVE-2026-39837 2 Mediawiki, Wikimedia 2 Cargo, Mediawiki-cargo Extension 2026-04-15 5.4 Medium
Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in WikiWorks Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo Extension: before 3.8.7.
CVE-2026-39839 2 Mediawiki, Wikimedia 2 Cargo, Mediawiki-cargo Extension 2026-04-15 6.1 Medium
Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo Extension: before 3.8.7.
CVE-2026-21514 1 Microsoft 6 365 Apps, Office 2021, Office 2024 and 3 more 2026-04-15 7.8 High
Reliance on untrusted inputs in a security decision in Microsoft Office Word allows an unauthorized attacker to bypass a security feature locally.
CVE-2026-5896 4 Apple, Google, Linux and 1 more 4 Macos, Chrome, Linux Kernel and 1 more 2026-04-15 6.1 Medium
Policy bypass in Audio in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass sandbox download restrictions via a crafted HTML page. (Chromium security severity: Low)
CVE-2025-11992 1 Wordpress 1 Wordpress 2026-04-15 6.1 Medium
The Multi Item Responsive Slider plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the 'mioptions.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2023-47513 2026-04-15 5.4 Medium
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in ARI Soft ARI Stream Quiz allows Code Injection.This issue affects ARI Stream Quiz: from n/a through 1.3.2.
CVE-2023-48285 2026-04-15 5.3 Medium
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Tips and Tricks HQ Stripe Payments allows Code Injection.This issue affects Stripe Payments: from n/a through 2.0.79.
CVE-2025-14186 1 Grandstream 1 Gxp1625 2026-04-15 3.5 Low
A security flaw has been discovered in Grandstream GXP1625 1.0.7.4. The impacted element is an unknown function of the file /cgi-bin/api.values.post of the component Network Status Page. Performing manipulation of the argument vpn_ip results in basic cross site scripting. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-21510 1 Redhat 1 Enterprise Linux 2026-04-15 5.4 Medium
Versions of the package sinatra from 0.0.0 are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the X-Forwarded-Host (XFH) header. When making a request to a method with redirect applied, it is possible to trigger an Open Redirect Attack by inserting an arbitrary address into this header. If used for caching purposes, such as with servers like Nginx, or as a reverse proxy, without handling the X-Forwarded-Host header, attackers can potentially exploit Cache Poisoning or Routing-based SSRF.
CVE-2025-7048 1 Arista 1 Eos 2026-04-15 4.3 Medium
On affected platforms running Arista EOS with MACsec configuration, a specially crafted packet can cause the MACsec process to terminate unexpectedly. Continuous receipt of these packets with certain MACsec configurations can cause longer term disruption of dataplane traffic.
CVE-2024-24874 2026-04-15 5.3 Medium
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in CodePeople CP Polls allows Code Injection.This issue affects CP Polls: from n/a through 1.0.71.
CVE-2025-45160 1 Cacti 1 Cacti 2026-04-15 5.4 Medium
A HTML injection vulnerability exists in the file upload functionality of Cacti <= 1.2.29. When a file with an invalid format is uploaded, the application reflects the submitted filename back into an error popup without proper sanitization. As a result, attackers can inject arbitrary HTML elements (e.g., <h1>, <b>, <svg>) into the rendered page. NOTE: Multiple third-parties including the maintainer have stated that they cannot reproduce this issue after 1.2.27.